From 6c69164a590451ab98ed7463b612dfd99ab8186f Mon Sep 17 00:00:00 2001 From: Samuel Dionne-Riel Date: Mon, 17 Oct 2022 17:34:00 -0400 Subject: OVE-20221017-0001: Add paragraph about possible RCE (#559) --- blog/OVE-20221017-0001.markdown | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/blog/OVE-20221017-0001.markdown b/blog/OVE-20221017-0001.markdown index 1ca7f01..2726404 100644 --- a/blog/OVE-20221017-0001.markdown +++ b/blog/OVE-20221017-0001.markdown @@ -23,6 +23,10 @@ It is unknown at this time if PolyMC is compromised, but software like this being in the hands of reactionaries is a very sketchy situation. I am monitoring this situation and will give updates when I can. +It is unknown if it is safe to run existing installations of PolyMC, as [it +reportedly fetches metadata about .jar files to run at runtime](https://github.com/NixOS/nixpkgs/issues/196460) +from a now presumably untrustworthy service. + If you are a user of PolyMC, it may be best to uninstall it until we can get more information about this emerging situation. I am treating this as a compromise of the upstream because that is the least bad way to describe this. -- cgit v1.2.3
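Review bot: The added paragraph never states the risk that the commit subject names ("possible RCE"). A reader has to infer that if metadata fetched from a "now presumably untrustworthy service" decides which .jar files get run, whoever controls that service may be able to choose the code that existing installations execute. Suggest saying that in one plain sentence after "from a now presumably untrustworthy service." Two smaller points in the same paragraph: the link text "fetches metadata about .jar files to run at runtime" is ambiguous about whether "at runtime" applies to the fetch or to the run, so reordering it to "fetches, at runtime, metadata about the .jar files to run" would read more clearly; and the service is not named, so readers cannot tell which endpoint is meant without following the linked issue. The following paragraph's advice to uninstall then follows more naturally from the stated risk.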